SGE2010 clients need to route through ASA 5505 & 3750

mega5llc1
Level 1

Please see the included diagram.

I need to move the client machines off of the 3750 (and their DHCP dependency on it) to the SGE2010 and absolutely route their internet traffic out through the outside interface on the 5505. They must also be able to communicate back into the internal environment in order to communicate with the production servers.

The clients currently use .254 addressing through a dumb Dell switch to the 3750, but I am trying to migrate them over slowly to the .253. I know that the 2010 will not do DHCP, so I am putting a DHCP server on that switch right now. The 5505 won't let me add an additional nameif statement onto one of the other eth0/x interfaces, and I'm not sure if that has anything to do with its capabilities to act as a DHCP server (it's not an option in the ASDM) or its ability to serve as the internet gateway for the 2010 clients. (Side notes: The 5505 has a base license and is currently also connecting 1 site-to-site VPN. As is the 5520, so all of its interfaces are used as well.)

I statically assigned a moved client with a .253 address and plugged it into the 2010. I have tried giving the 2010 both a .4 address and a .253 address, but neither will allow me to ping any of the addresses on the 5505. The 2010 shows automatic routes to the two subnets and I set its default route to 253.1.

The link between the 2010 and the 3750 works - clients receive a .254 address from the 3750 and can get out to the internet via the 5505 and reach the production servers as well.

Why won't the 2010 see the 5505 as a gateway and allow clients to get to the internet and also traverse the 3750 when they need access to the production network?

Now, the monkey wrench. The reason why I don't just connect the two switches and call it a day is because I also need the production servers to ALWAYS go out/receive web requests via the 5520 outbound/outside interface.

I'm having such a hard time wrapping my head around why I can't get my clients moved over to the new switch, I haven't even grasped how I'm going to do that yet.

Any assistance would be greatly appreciated.

Scott


4 Replies

David Hornstein
Level 7

Hi Scott,

Hmm, I wonder. The base license on the ASA5505 usually supports three VLANs, which includes a DMZ.

If you can't add a DHCP server to the ASA, is your problem that you have a base license and not the security license?

That explains why you can't add another eth0/x interface.

If you wish to have trunking support on this base ASA5505, you can purchase an upgrade license. Here is a reference:

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/prod_brochure0900aecd80402e36.html

Here is a suggested option:

Additional Recommended Options

Cisco ASA 5505 Security Plus license (provides stateless Active/Standby high availability, dual ISP support, DMZ support, VLAN trunking support, and increased session and IPSec VPN peer capacities)

ASA5505-SEC-PL

David

Thank you for the information. As this is probably something that will be needed in the near future, I'm glad to have this information. However, I was able to solve my problem and (I think) develop a plan for finishing up all of my goals.

As it turns out, when I added the eth0/2 switched interface to the same vlan that the INSIDE interface was on - vlan 1000 - the one used by the 3750, I was then able to get out from a moved client through the 2010, then out the 5505.

I was under the impression that DHCP only served up gateways in their own subnet unless directly connected. My server guy and I have proven this false. We are going to put in a DHCP server to service the new moved clients on the .253 network. This way, we remove the DHCP server off of the 3750 and make the new clients' gateway the 4.2 interface on the 5505. I will have to change the 3750 default gateway to the outbound 5520 interface so that the servers only route through that to get out; then configure static routes on the 2010 that point to subnets on the production network via any one of the IP addresses on the 3750.

Question is, will that work? Will the link between the two switches have to be on the same vlan? If so, how will the moved hosts on the 2010 know how to get to the other subnets on the 3750, where production is housed?

Accepted Solution

Hi Scott,

Ok you will have multiple IP networks connected onto the SGE2010...this is fine as the Switch can run in Layer 3 mode.

But will the ASA5505 or the SGE2010 be the default gateway given to PC clients that are hanging off the SGE2010 switch ports?

If the SGE2010 is made the default gateway for PC clients, the SGE2010 will switch packets at Layer 3 between the appropriate subnets.

(depending on whether you have added some static routes inside your SGE2010)

If the ASA is the default gateway for PC hosts, the ASA will route the traffic accordingly.

Regards, Dave

I was able to resolve this by directly connecting the ASA 5505 and the SGE2010.

1. I put an IP address on the SGE2010 in the same subnet as the inside interface IP on the 5505

2. I put that eth2 interface on the 5505 in the same vlan as the rest of my internal transit network connections: vlan 1000

Turns out that even with the switch left on all native vlan1 configurations, it works!

Thanks to everyone who replied.
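The configuration below is an added illustration of the arrangement Scott describes in this last post; it is not configuration taken from the thread or from any of the posters. It shows the ASA 5505's Ethernet0/2 placed in the existing inside VLAN (vlan 1000) so that no additional nameif is needed under the base license, the SGE2010 holding an address in the inside subnet and acting as default gateway for the moved clients, and the two return routes (on the ASA and on the 3750) that the thread does not spell out but that the design needs for replies to reach the clients. All addresses are constructed placeholders (the thread only gives the last octets .4, .253 and .254); the 3750 interface names, the 5520 address and the ASA software version (8.3 or later NAT syntax is assumed) are assumptions.

```cisco
! ---- ASA 5505 (base license) ----------------------------------------------
! Constructed addressing for this example only (not from the thread):
!   10.0.4.0/24    inside transit network       (the thread's ".4" network)
!   10.0.253.0/24  moved clients behind SGE2010 (the thread's ".253" network)
!   10.0.254.0/24  existing clients on the 3750 (the thread's ".254" network)
!
! Ethernet0/2 joins the VLAN the inside interface already uses, so the base
! license's VLAN limit is not touched and no new nameif is created.
interface Ethernet0/2
 description Uplink to SGE2010 (transit)
 switchport access vlan 1000
 no shutdown
!
interface Vlan1000
 nameif inside
 security-level 100
 ip address 10.0.4.1 255.255.255.0
!
! Return path: Internet replies for the moved clients arrive on outside and
! must be forwarded to the SGE2010's transit address. Without this route the
! ASA only knows 10.0.4.0/24 (directly connected) and drops the replies.
route inside 10.0.253.0 255.255.255.0 10.0.4.2 1
!
! Outbound NAT for the client subnet (assumes "outside" is the existing
! Internet-facing nameif and ASA 8.3+ object NAT syntax).
object network SGE2010-CLIENTS
 subnet 10.0.253.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! ---- SGE2010 (Layer 3 mode) -----------------------------------------------
! The SGE2010 CLI is not shown in the thread, so its part is described
! rather than typed. It needs:
!   - a VLAN interface with 10.0.4.2/24 (transit to the ASA inside address),
!   - a VLAN interface with 10.0.253.1/24, handed out as default gateway by
!     the DHCP server Scott is adding to that switch,
!   - a default route 0.0.0.0/0 -> 10.0.4.1 (the ASA inside interface),
!   - a static route per production subnet -> the 3750's address on the
!     link between the two switches (10.0.254.1 in this example).
!
! ---- Catalyst 3750 (IOS) --------------------------------------------------
! Symmetry: production servers answer the 10.0.253.0/24 clients, and the
! 3750 must send those replies back toward the SGE2010. With only a default
! route toward the 5520 (Scott's plan), the replies would leave through the
! wrong firewall and the sessions would fail. Interface names are assumed.
interface Vlan254
 description Link to SGE2010 and existing .254 clients
 ip address 10.0.254.1 255.255.255.0
!
ip route 10.0.253.0 255.255.255.0 10.0.254.2
ip route 0.0.0.0 0.0.0.0 <5520-outbound-interface-ip>
```

Two consequences of this layout are worth checking before calling it done. First, every device that forwards toward the clients (ASA, SGE2010, 3750) needs a route for the client subnet; a missing one shows up as one-way traffic, which is why the example puts a `route` statement on the ASA and an `ip route` on the 3750 rather than relying on defaults. Second, client-to-production traffic now flows switch to switch (SGE2010 to 3750) and never crosses either ASA, so any filtering that used to apply to that traffic on the firewalls no longer applies; if it is needed, it has to be expressed as access lists on the SGE2010 or the 3750 VLAN interfaces.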